Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive operations to collect intelligence, dating back as early as 2014. The group typically targets U.S. and the Middle Eastern military, as well as other organizations with government personnel, via complex social engineering campaigns.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1003 - OS Credential Dumping | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
T1016 - System Network Configuration Discovery | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services. |
T1027 - Obfuscated Files or Information | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information. |
T1033 - System Owner/User Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system. |
T1056 - Input Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter. |
T1057 - Process Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary. |
T1057 - Process Discovery | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | A defender can run decoy processes on a system to entice an adversary. |
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
T1070 - Indicator Removal on Host | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system. |
T1070 - Indicator Removal on Host | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
T1071 - Application Layer Protocol | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1082 - System Information Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery. |
T1083 - File and Directory Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can utilize decoy files and directories to provide content that could be used by the adversary. |
T1098 - Account Manipulation | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc. |
T1098 - Account Manipulation | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0010 - Decoy Account | A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation. |
T1098 - Account Manipulation | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can enforce strong authentication requirements such as password changes, two factor authentication, etc. to impact or disrupt an adversary's activity. |
T1102 - Web Service | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can detect the use of external web services for communication relay. By implementing behavior analytics anomalies in what domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic. |
T1105 - Ingress Tool Transfer | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
T1113 - Screen Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement. |
T1114 - Email Collection | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems. |
T1204 - User Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
T1547 - Boot or Logon Autostart Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup. |
T1555 - Credentials from Password Stores | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
T1560 - Archive Collected Data | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable. |
T1564 - Hide Artifacts | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on system so that an adversary is unable to hide artifacts in ways they normally would. |
T1564 - Hide Artifacts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts. |
T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target. |
T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
T1566 - Phishing | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
T1571 - Non-Standard Port | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |